The Microsoft Internet Security Framework: Overview
June 4, 1996
This paper is intended for corporate developers and consultants, independent software vendors (ISVs), network operators, and Webmasters who are interested in the convergence of the corporate intranet and the public Internet. It describes the Microsoft Internet Security Framework--a comprehensive platform that gives you the ability to:
- Exchange information securely across public networks.
- Control access from the public networks to the corporate network.
- Engage in electronic commerce.
The Microsoft Internet Security Framework accomplishes all this without requiring you to replace your existing systems. Instead, it builds on the Windows® operating system security model and extensible architecture.
(Readers who are unfamiliar with public-key cryptography may first want to read the "Core Technology" appendix after downloading the entire White Paper.)
Introduction
The security paradigms in the world of the corporate network, or intranet, and the world of the public Internet have followed different paths. This is because of the differences in their computing environments. For example, an intranet typically has:
- A known number of users who are authenticated by the system.
- A trusted administrator who keeps information about the users.
- A central administration model with finely tuned access controls.
- A set of administrative and user management tools for overseeing the entire network.
- A large investment in the existing security technology.
On the other hand, the Internet:
- Is used by a vast number of people who were previously unknown.
- Has no central administration to oversee access and security.
- Is a distributed, cross-platform network.
- Uses new, rapidly evolving technology.
Yet despite these difficulties, the pressures both for gaining access to the Internet, and for allowing access to the corporate networks from the Internet, are great. Many companies are already granting access to their networks despite the security problems. They do this because of the benefits they gain from this sort of cooperation with their customers. These benefits include:
- Increasing sales by creating new sales channels and reaching new customers.
- Forming closer relationships with customers, partners, and suppliers. This results in better products that are brought to market faster.
- Better customer service, which means more business from customers.
- Better margins, which result from (a) lowering the costs of bringing a product to market and (b) lowering the cost-per-sale for both repeat and new business.
- Gaining an edge by offering access before competitors do.
- Delivering faster, personalized service.
- Improving distribution.
- Improving the customers' experience.
Currently, this convergence of the intranet and the Internet has created confusion. Security tools are immature and complete solutions are difficult to create. This often results in security measures that are a laundry list of the following:
- Firewalls.
- Proxy servers.
- Password-based security.
- Customized access controls.
And even worse, sometimes there is no security at all.
To take advantage of the potential the new world offers, businesses must be able to:
- Open up their corporate networks to the Internet while still maintaining control over who accesses their internal resources.
- Identify and authenticate customers who use the Internet to access their corporate networks. This includes customers using both e-mail and pipes.
- Ensure that private information sent over the public Internet can be transmitted securely.
The Goal
The goal is this: The environment created by the convergence of the public and private networks should be a place where systems can be extended to take advantage of new opportunities while still preserving investments in the existing systems. This environment must behave as an intelligent, secure network for distributing business-to-business applications. It must have:
- Secure exchange of information.
- Secure transactions to conduct electronic commerce.
- A way of controlling access to content.
- A distributed authentication technology based on passwords.
The Microsoft Internet Security Framework Philosophy
The philosophy behind the Microsoft Internet Security Framework is to achieve this goal by using the best of existing technologies as a platform, and to extend them to encompass new technologies. This provides a comprehensive framework for secure online communications and electronic commerce. Issues of identity, authentication, and authorization are addressed using public-key and password-based technologies. These technologies can, when appropriate, be integrated with the Windows and Windows NT® operating system. The extensible security framework conforms to and takes advantage of Internet standards and protocols.